MYNEWT-518 - Clean up previous commit.

The previous commit for this ticket left the code in a working state.
However, it was not possible for image management to distinguish between
the test and permanent states.

Now, these two states are indicated by the addition of a new swap type:
BOOT_SWAP_TYPE_PERMANENT.
diff --git a/boot/bootutil/design.txt b/boot/bootutil/design.txt
index eb5badb..bfa12d2 100644
--- a/boot/bootutil/design.txt
+++ b/boot/bootutil/design.txt
@@ -125,6 +125,79 @@
 In addition to the two image slots, the boot loader requires a scratch area to
 allow for reliable image swapping.
 
+*** BOOT STATES
+
+Logically, you can think of a pair of values associated with each image slot:
+pending and confirmed.  On startup, the boot loader determines the state of the
+device by inspecting each pair of values.  These values have the following
+meanings:
+
+* pending: Indicates whether the image should be used on the next reboot; can
+  hold one of three values:
+    " " (unset):     Don't use image on next boot
+    "T" (temporary): Use image on next boot; absent subsequent confirm command,
+                     revert to original image on second reboot.
+    "P" (permanent): Use image on next boot and all subsequent boots
+
+* confirmed: always use image unless excluded by a test image.
+
+In English, when the user wants to run the secondary image, they set the
+pending flag for the second slot and reboot the device.  On startup, the boot
+loader will swap the two images in flash, clear the secondary slot's pending
+flag, and run the newly-copied image in slot 0.  If the user set the pending
+flag to "temporary," then this is only a temporary state; if the device reboots
+again, the boot loader swaps the images back to their original slots and boots
+into the original image.  If the user doesn't want to revert to the original
+state, they can make the current state permanent by setting the confirmed flag
+in slot 0.
+
+Switching to an alternate image is a two-step process (set + confirm) to
+prevent a device from becoming "bricked" by bad firmware.  If the device
+crashes immediately upon booting the second image, the boot loader reverts to
+the working image, rather than repeatedly rebooting into the bad image.
+
+Alternatively, if the user is confident that the second image is good, they can
+set and confirm in a single action by setting the pending flag to "permanent."
+
+The following set of tables illustrate the four possible states that the device
+can be in:
+
+                   | slot-0 | slot-1 |
+    ---------------+--------+--------|
+           pending |        |        |
+         confirmed |   X    |        |
+    ---------------+--------+--------'
+    Image 0 confirmed;               |
+    No change on reboot              |
+    ---------------------------------'
+
+                   | slot-0 | slot-1 |
+    ---------------+--------+--------|
+           pending |        |   T    |
+         confirmed |   X    |        |
+    ---------------+--------+--------'
+    Image 0 confirmed;               |
+    Test image 1 on next reboot      |
+    ---------------------------------'
+
+                   | slot-0 | slot-1 |
+    ---------------+--------+--------|
+           pending |        |   P    |
+         confirmed |   X    |        |
+    ---------------+--------+--------'
+    Image 0 confirmed;               |
+    Use image 1 permanently on boot  |
+    ---------------------------------'
+
+                   | slot-0 | slot-1 |
+    ---------------+--------+--------|
+           pending |        |        |
+         confirmed |        |   X    |
+    ---------------+--------+--------'
+    Testing image 0;                 |
+    Revert to image 1 on next reboot |
+    ---------------------------------'
+
 *** BOOT VECTOR
 
 At startup, the boot loader determines which of the above three states the
@@ -190,7 +263,7 @@
                      | slot-0 | slot-1 |
     -----------------+--------+--------|
                magic | Unset  | Unset  |
-            image-ok | Any    | N/A    |
+            image-ok | Any    | Any    |
     -----------------+--------+--------'
              pending |        |        |
           confirmed  |   X    |        |
@@ -203,22 +276,33 @@
                      | slot-0 | slot-1 |
     -----------------+--------+--------|
                magic | Any    | Good   |
-            image-ok | Any    | [*]    |
+            image-ok | Any    | Unset  |
     -----------------+--------+--------'
-             pending |        |   X    |
+             pending |        |   T    |
           confirmed  |   X    |        |
-    -----------------+--------+--------+----------------------------'
-     swap: test                                                     |
-     note: slot-1 image-ok val indicates whether swap is permanent; |
-           (0xff=temporary; 0x01=permanent)                         |
-    ----------------------------------------------------------------'
-
+    -----------------+--------+--------'
+     swap: test                        |
+    -----------------------------------'
+    
 
     State III
                      | slot-0 | slot-1 |
     -----------------+--------+--------|
+               magic | Any    | Good   |
+            image-ok | Any    | 0x01   |
+    -----------------+--------+--------'
+             pending |        |   P    |
+          confirmed  |   X    |        |
+    -----------------+--------+--------'
+     swap: permanent                   |
+    -----------------------------------'
+    
+
+    State IV
+                     | slot-0 | slot-1 |
+    -----------------+--------+--------|
                magic | Good   | Unset  |
-            image-ok | 0xff   | N/A    |
+            image-ok | 0xff   | Any    |
     -----------------+--------+--------'
              pending |        |        |
           confirmed  |        |   X    |
@@ -227,11 +311,11 @@
     -----------------------------------'
 
 
-    State IV
+    State V
                      | slot-0 | slot-1 |
     -----------------+--------+--------|
                magic | Good   | Unset  |
-            image-ok | 0x01   | N/A    |
+            image-ok | 0x01   | Any    |
     -----------------+--------+--------'
              pending |        |        |
           confirmed  |   X    |        |
@@ -266,73 +350,16 @@
 
 C. Boot into image in slot 0.
 
-*** BOOT STATES
-
-Logically, you can think of a pair of flags associated with each image slot:
-pending and confirmed.  On startup, the boot loader determines the state of the
-device by inspecting each pair of flags.  These flags have the following
-meanings:
-
-* pending: image gets tested on next reboot; absent subsequent confirm command,
-           revert to original image on second reboot.
-* confirmed: always use image unless excluded by a test image.
-
-In English, when the user wants to run the secondary image, they set the
-pending flag for the second slot and reboot the device.  On startup, the boot
-loader will swap the two images in flash, clear the secondary slot's pending
-flag, and run the newly-copied image in slot 0.  This is a temporary state; if
-the device reboots again, the boot loader swaps the images back to their
-original slots and boots into the original image.  If the user doesn't want to
-revert to the original state, they can make the current state permanent by
-setting the confirmed flag in slot 0.
-
-Switching to an alternate image is a two-step process (set + confirm) to
-prevent a device from becoming "bricked" by bad firmware.  If the device
-crashes immediately upon booting the second image, the boot loader reverts to
-the working image, rather than repeatedly rebooting into the bad image.
-
-Alternatively, if the user is confident that the alternate image is good, they
-can set and confirm in a single action.
-
-The following set of tables illustrate the three possible states that the
-device can be in:
-
-                   | slot-0 | slot-1 |
-    ---------------+--------+--------|
-           pending |        |        |
-         confirmed |   X    |        |
-    ---------------+--------+--------'
-    Image 0 confirmed;               |
-    No change on reboot              |
-    ---------------------------------'
-
-                   | slot-0 | slot-1 |
-    ---------------+--------+--------|
-           pending |        |   X    |
-         confirmed |   X    |        |
-    ---------------+--------+--------'
-    Image 0 confirmed;               |
-    Test image 1 on next reboot      |
-    ---------------------------------'
-
-                   | slot-0 | slot-1 |
-    ---------------+--------+--------|
-           pending |        |        |
-         confirmed |        |   X    |
-    ---------------+--------+--------'
-    Testing image 0;                 |
-    Revert to image 1 on next reboot |
-    ---------------------------------'
-
 
 
 *** IMAGE SWAPPING
 
 The boot loader swaps the contents of the two image slots for two reasons:
-    * User has issued an "image test" operation; the image in slot-1 should be
-      run once (state II).
+    * User has issued a "set pending" operation; the image in slot-1 should be
+      run once (state II) or repeatedly (state III), depending on whether a
+      permanent swap was specified.
     * Test image rebooted without being confirmed; the boot loader should
-      revert to the original image currently in slot-1 (state III).
+      revert to the original image currently in slot-1 (state IV).
 
 If the boot vector indicates that the image in the secondary slot should be
 run, the boot loader needs to copy it to the primary slot.  The image currently
@@ -362,21 +389,32 @@
 
     3. Persist completion of swap procedure to slot 0 image trailer.
 
-The additional caveats in step 2f are necessary so that the slot 1 image trailer
-can be written by the user at a later time.  With the image trailer unwritten,
-the user can test the image in slot 1 (i.e., transition to state II).
+The additional caveats in step 2f are necessary so that the slot 1 image
+trailer can be written by the user at a later time.  With the image trailer
+unwritten, the user can test the image in slot 1 (i.e., transition to state
+II).
 
-The particulars of step 3 vary depending on whether an image is being tested or
-reverted:
+The particulars of step 3 vary depending on whether an image is being tested,
+permanently used, or reverted:
     * test:
         o Write slot0.copy_done = 1
-        (should now be in state III)
+        (swap caused the following values to be written:
+            slot0.magic = BOOT_MAGIC
+            slot0.image_ok = Unset)
+        (should now be in state IV)
+
+    * permanent:
+        o Write slot0.copy_done = 1
+        (swap caused the following values to be written:
+            slot0.magic = BOOT_MAGIC
+            slot0.image_ok = 0x01)
+        (should now be in state V)
 
     * revert:
         o Write slot0.magic = BOOT_MAGIC
         o Write slot0.copy_done = 1
         o Write slot0.image_ok = 1
-        (should now be in state IV)
+        (should now be in state V)
 
 *** SWAP STATUS
 
diff --git a/boot/bootutil/include/bootutil/bootutil.h b/boot/bootutil/include/bootutil/bootutil.h
index 6d62aaa..0947f50 100644
--- a/boot/bootutil/include/bootutil/bootutil.h
+++ b/boot/bootutil/include/bootutil/bootutil.h
@@ -26,10 +26,19 @@
 extern "C" {
 #endif
 
+/** Just boot whatever is in slot 0. */
 #define BOOT_SWAP_TYPE_NONE     1
+
+/** Swap to slot 1.  Absent a confirm command, revert back on next boot. */
 #define BOOT_SWAP_TYPE_TEST     2
-#define BOOT_SWAP_TYPE_REVERT   3
-#define BOOT_SWAP_TYPE_FAIL     4
+
+/** Swap to slot 1 permanently. */
+#define BOOT_SWAP_TYPE_PERM     3
+
+/** Swap back to alternate slot.  A confirm changes this state to NONE. */
+#define BOOT_SWAP_TYPE_REVERT   4
+
+#define BOOT_SWAP_TYPE_FAIL     0xff
 
 struct image_header;
 /**
diff --git a/boot/bootutil/src/bootutil_misc.c b/boot/bootutil/src/bootutil_misc.c
index c85f454..87895ba 100644
--- a/boot/bootutil/src/bootutil_misc.c
+++ b/boot/bootutil/src/bootutil_misc.c
@@ -45,6 +45,7 @@
     uint8_t bsw_magic_slot0;
     uint8_t bsw_magic_slot1;
     uint8_t bsw_image_ok_slot0;
+    uint8_t bsw_image_ok_slot1;
 
     uint8_t bsw_swap_type;
 };
@@ -58,7 +59,7 @@
         /*          | slot-0     | slot-1     |
          *----------+------------+------------|
          *    magic | Unset      | Unset      |
-         * image-ok | Any        | N/A        |
+         * image-ok | Any        | Any        |
          * ---------+------------+------------'
          * swap: none                         |
          * -----------------------------------'
@@ -66,6 +67,7 @@
         .bsw_magic_slot0 =      BOOT_MAGIC_UNSET,
         .bsw_magic_slot1 =      BOOT_MAGIC_UNSET,
         .bsw_image_ok_slot0 =   0,
+        .bsw_image_ok_slot1 =   0,
         .bsw_swap_type =        BOOT_SWAP_TYPE_NONE,
     },
 
@@ -73,24 +75,39 @@
         /*          | slot-0     | slot-1     |
          *----------+------------+------------|
          *    magic | Any        | Good       |
-         * image-ok | Any        | [*]        |
-         * ---------+------------+------------+---------------------------'
-         * swap: test                                                     |
-         * note: slot-1 image-ok val indicates whether swap is permanent; |
-         *       (0xff=temporary; 0x01=permanent)                         |
-         * ---------------------------------------------------------------'
+         * image-ok | Any        | Unset      |
+         * ---------+------------+------------`
+         * swap: test                         |
+         * -----------------------------------'
          */
         .bsw_magic_slot0 =      0,
         .bsw_magic_slot1 =      BOOT_MAGIC_GOOD,
         .bsw_image_ok_slot0 =   0,
+        .bsw_image_ok_slot1 =   0xff,
         .bsw_swap_type =        BOOT_SWAP_TYPE_TEST,
     },
 
     {
         /*          | slot-0     | slot-1     |
          *----------+------------+------------|
+         *    magic | Any        | Good       |
+         * image-ok | Any        | 0x01       |
+         * ---------+------------+------------`
+         * swap: permanent                    |
+         * -----------------------------------'
+         */
+        .bsw_magic_slot0 =      0,
+        .bsw_magic_slot1 =      BOOT_MAGIC_GOOD,
+        .bsw_image_ok_slot0 =   0,
+        .bsw_image_ok_slot1 =   0x01,
+        .bsw_swap_type =        BOOT_SWAP_TYPE_PERM,
+    },
+
+    {
+        /*          | slot-0     | slot-1     |
+         *----------+------------+------------|
          *    magic | Good       | Unset      |
-         * image-ok | 0xff       | N/A        |
+         * image-ok | 0xff       | Any        |
          * ---------+------------+------------'
          * swap: revert (test image running)  |
          * -----------------------------------'
@@ -98,6 +115,7 @@
         .bsw_magic_slot0 =      BOOT_MAGIC_GOOD,
         .bsw_magic_slot1 =      BOOT_MAGIC_UNSET,
         .bsw_image_ok_slot0 =   0xff,
+        .bsw_image_ok_slot1 =   0,
         .bsw_swap_type =        BOOT_SWAP_TYPE_REVERT,
     },
 
@@ -105,7 +123,7 @@
         /*          | slot-0     | slot-1     |
          *----------+------------+------------|
          *    magic | Good       | Unset      |
-         * image-ok | 0x01       | N/A        |
+         * image-ok | 0x01       | Any        |
          * ---------+------------+------------'
          * swap: none (confirmed test image)  |
          * -----------------------------------'
@@ -113,6 +131,7 @@
         .bsw_magic_slot0 =      BOOT_MAGIC_GOOD,
         .bsw_magic_slot1 =      BOOT_MAGIC_UNSET,
         .bsw_image_ok_slot0 =   0x01,
+        .bsw_image_ok_slot1 =   0,
         .bsw_swap_type =        BOOT_SWAP_TYPE_NONE,
     },
 };
@@ -345,7 +364,9 @@
             (table->bsw_magic_slot1     == 0    ||
              table->bsw_magic_slot1     == state_slot1.magic)           &&
             (table->bsw_image_ok_slot0  == 0    ||
-             table->bsw_image_ok_slot0  == state_slot0.image_ok)) {
+             table->bsw_image_ok_slot0  == state_slot0.image_ok)        &&
+            (table->bsw_image_ok_slot1  == 0    ||
+             table->bsw_image_ok_slot1  == state_slot1.image_ok)) {
 
             return table->bsw_swap_type;
         }
diff --git a/boot/bootutil/src/loader.c b/boot/bootutil/src/loader.c
index e4dfc61..fc20fdb 100644
--- a/boot/bootutil/src/loader.c
+++ b/boot/bootutil/src/loader.c
@@ -143,6 +143,7 @@
 static const uint8_t boot_swap_trans_table[][2] = {
     /*     From                     To             */
     { BOOT_SWAP_TYPE_REVERT,    BOOT_SWAP_TYPE_NONE },
+    { BOOT_SWAP_TYPE_PERM,      BOOT_SWAP_TYPE_NONE },
     { BOOT_SWAP_TYPE_TEST,      BOOT_SWAP_TYPE_REVERT },
 };
 
@@ -974,6 +975,7 @@
         swap_type = boot_validated_swap_type();
         switch (swap_type) {
         case BOOT_SWAP_TYPE_TEST:
+        case BOOT_SWAP_TYPE_PERM:
         case BOOT_SWAP_TYPE_REVERT:
             rc = boot_copy_image(&bs);
             assert(rc == 0);
@@ -1040,6 +1042,7 @@
         break;
 
     case BOOT_SWAP_TYPE_TEST:
+    case BOOT_SWAP_TYPE_PERM:
         slot = 1;
         boot_finalize_test_swap();
         break;
diff --git a/boot/bootutil/test/src/boot_test_utils.c b/boot/bootutil/test/src/boot_test_utils.c
index 355a5d9..30297c8 100644
--- a/boot/bootutil/test/src/boot_test_utils.c
+++ b/boot/bootutil/test/src/boot_test_utils.c
@@ -517,6 +517,10 @@
                 expected_swap_type = BOOT_SWAP_TYPE_REVERT;
                 break;
 
+            case BOOT_SWAP_TYPE_PERM:
+                expected_swap_type = BOOT_SWAP_TYPE_NONE;
+                break;
+
             case BOOT_SWAP_TYPE_REVERT:
                 expected_swap_type = BOOT_SWAP_TYPE_NONE;
                 break;
diff --git a/boot/bootutil/test/src/testcases/boot_test_permanent.c b/boot/bootutil/test/src/testcases/boot_test_permanent.c
index cb156af..489ebd6 100644
--- a/boot/bootutil/test/src/testcases/boot_test_permanent.c
+++ b/boot/bootutil/test/src/testcases/boot_test_permanent.c
@@ -49,6 +49,5 @@
     rc = boot_set_pending(1);
     TEST_ASSERT_FATAL(rc == 0);
 
-    /* A permanent swap exhibits the same behavior as a revert. */
-    boot_test_util_verify_all(BOOT_SWAP_TYPE_REVERT, &hdr0, &hdr1);
+    boot_test_util_verify_all(BOOT_SWAP_TYPE_PERM, &hdr0, &hdr1);
 }
diff --git a/boot/bootutil/test/src/testcases/boot_test_permanent_continue.c b/boot/bootutil/test/src/testcases/boot_test_permanent_continue.c
index 83ad692..2417df0 100644
--- a/boot/bootutil/test/src/testcases/boot_test_permanent_continue.c
+++ b/boot/bootutil/test/src/testcases/boot_test_permanent_continue.c
@@ -58,6 +58,5 @@
     rc = boot_write_status(&status);
     TEST_ASSERT_FATAL(rc == 0);
 
-    /* A permanent swap exhibits the same behavior as a revert. */
-    boot_test_util_verify_all(BOOT_SWAP_TYPE_REVERT, &hdr0, &hdr1);
+    boot_test_util_verify_all(BOOT_SWAP_TYPE_PERM, &hdr0, &hdr1);
 }